The EU's General Data Protection Regulation (GDPR) created Data Protection Authorities (DPAs) to monitor the application of the regulation.

This article will cover what DPAs are, what they do, what powers they have, how they're selected, how they interact with organizations and how to determine which DPA to contact should you need to.


What are Data Protection Authorities?

Each member state of the EU has a Data Protection Authority.

A DPA is an independent public authority which exists to protect privacy by ensuring that data protection laws are upheld at a national level. DPAs are also referred to as 'national supervisory authorities' since this is the term used by the GDPR.

Data Protection Authorities supervise and investigate to ensure that companies are complying with privacy laws. If a company fails to comply, DPAs have corrective powers they can utilize.

For example, DPAs are able to issue fines to private companies and public bodies who breach data protection laws. In addition, DPAs are able to offer expert data protection advice and handle complaints that have been made regarding breaches of the GDPR.

It's essential that each DPA is completely independent of government control and any other external influence to ensure fairness.

Finally, all DPAs are part of the European Data Protection Board (EDPB) which helps to ensure cooperation between the DPAs of each member state.

What Do Data Protection Authorities Do?

What Do Data Protection Authorities Do?

DPAs are tasked with enforcing data protection law, issuing penalties for non-compliance, providing guidance and dealing with complaints. This means they have responsibilities to national parliaments and governments, companies and members of the public.

Article 57 of the GDPR sets out the responsibilities of DPAs, which include but are not limited to:

  • Promoting public awareness
  • Advising the government, organizations and individuals about the law regarding data protection and processing
  • Investigating complaints lodged by a data subject or an organization
  • Monitoring developments within the remit of data protection
  • Cooperating with other DPAs
  • Authorizing model clauses
  • Maintaining a list of prohibited data processing activities
  • Keeping records of infringements and the methods that were taken to address any infringements

The duties and responsibilities of a DPA are broad. Article 57 even includes the catch-all task of fulfilling 'any other tasks related to the protection of personal data.'

How are Data Protection Authorities Selected?

DPAs are appointed at a national level. This means they are selected by national legislation within their member state and their powers of enforcement are largely limited to that particular jurisdiction.

Article 53 of the GDPR states that each DPA must have the 'qualifications, experience and skills...in the area of the protection of personal data, required to perform its duties.'

It also states that the procedure for appointment must be transparent.

What are the Powers of a Data Protection Authority?

What are the Powers of a Data Protection Authority?

DPAs are empowered to enforce data protection laws, advise national lawmakers about data protection, investigate potential breaches of the law, issue substantial fines and bring legal action against a company.

These powers can be broken down into:

  • The power to investigate
  • The power to correct, and
  • The power to advise and authorize

The Power to Investigate

DPAs have the power to investigate complaints from private individuals.

For example, a private individual may contact a DPA to complain about the way a company has handled their personal data.

If a DPA suspects a breach of compliance they have the power to investigate data controllers and data processors and demand they provide any information required to perform their investigation.

The Power to Correct

DPAs have the power to correct breaches of data protection law through various methods, depending on the severity of the breach.

A DPA may choose to issue a warning or a reprimand. They can also act on behalf of an individual who has made a complaint by forcing a data controller or processor to comply with the individual's request.

For example, a DPA can insist that the company in question allows the individual to exercise their data protection rights or force a company to tell an individual that their rights have been breached.

DPAs can also ban or restrict data processing activities when necessary.

Finally, perhaps a DPA's most well-known power is the power to issue substantial fines. These fines can be up to €20 million or upto 4% of a company's annual turnover - whichever is higher.

The Power to Advise and Authorize

DPAs have the power to advise governments, individuals and organizations alike. They also have the power to authorize high risk data processing activities which are restricted by national law.

In addition, DPAs can assist data controllers with Data Protection Impact Assessments (DPIAs) which may be particularly helpful to companies who are unfamiliar with carrying out these assessments.

The full list of DPA powers can be found in Article 58 of the GDPR.

How do Data Processors and Controllers Interact with Data Protection Authorities?

How do Data Processors and Controllers Interact with DPAs?

DPAs interact with both data controllers and data processors. In order to achieve compliance, it is crucial that organizations understand their relationship with DPAs and are informed about the roles and responsibilities of the same.

Firstly, it's important to know whether or not your organization is classed as a data controller or a data processor.

What are Data Processors and Data Controllers?

A controller is defined by their ability to exert control over the personal information that is being processed. They are responsible for processing activities and make the decisions.

The GDPR defines a controller as:

"the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data."

Unlike controllers, processors do not have overall responsibility of the data. They are acting on behalf of the controller.

The GDPR defines a processor as:

"a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller."

If your company is a data controller or data processor it is crucial that you know who your company's DPA is and how to contact them. It is also important to understand why a DPA may contact your company.

It is unusual for an organization to deal directly with a DPA, however there are certain circumstances where this would be necessary.

Let's consider these circumstances.

Why Might a Data Protection Authority Contact a Data Controller or Data Processor?

A DPA would contact a data controller or processor directly if they had received a complaint about their company or they had reason to believe the company has violated data protection law.

With regard to a complaint being made, the DPA would start by notifying the organization of the accusation that they have failed to comply with the GDPR.

Why Might a Data Controller or Data Processor Contact a Data Protection Authority?

There are a couple of key reasons a business may need to contact a DPA.

The first is simply to ask for guidance about an aspect of processing personal information within the remit of the law. This can help companies ensure that they remain compliant with the law.

In addition, companies are required to report data protection breaches to a DPA within 72 hours of the occurrence of the breach.

Another reason you may need to contact a DPA is if you require them to authorize a high risk data processing activity that is restricted by law in the country you operate in.

Finally, an organization may contact a DPA for assistance in completing a DPIA.

A DPIA helps companies to identify data protection risks and to minimise any risks identified. It is essential to carry out a DPIA for any processing task or project that is 'likely to result in a high risk to individuals.'

For example, profiling individuals on a large scale or processing biometric data for the purpose of identifying an individual would both be classed as 'likely to result in high risk to individuals.' Therefore, a DPIA should be carried out.

A DPAs power to advise on DPIAs may be particularly useful to companies who are unfamiliar with carrying them out.

Overall, it is important that data controllers and data processors maintain a good relationship with DPAs.

Since DPAs are so powerful, any organization contacting a DPA should make sure that their legal advisors are suitably experienced at communicating with DPAs and are knowledgeable about their functions and powers.

Data Protection Authorities by Member State

Data Protection Authorities by Member State

At the time of writing, these are the DPAs of each of the 28 member states of the EU:

Member State DPA
Austria Österreichische Datenschutzbehörde
Belgium Autorité de la protection des données - Gegevensbeschermingsautoriteit (APD-GBA)
Bulgaria Commission for Personal Data Protection
Croatia Croatian Personal Data Protection Agency
Cyprus Commissioner for Personal Data Protection
Czech Republic Office for Personal Data Protection
Denmark Datatilsynet
Estonia Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Finland Office of the Data Protection Ombudsman
France Commission Nationale de l'Informatique et des Libertés - CNIL
Germany Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit
Greece Hellenic Data Protection Authority
Hungary Hungarian National Authority for Data Protection and Freedom of Information
Ireland Data Protection Commission
Italy Garante per la protezione dei dati personali
Latvia Data State Inspectorate
Lithuania State Data Protection Inspectorate
Luxembourg Commission Nationale pour la Protection des Données
Malta Office of the Information and Data Protection Commissioner
Netherlands Autoriteit Persoonsgegevens
Poland Urząd Ochrony Danych Osobowych (Personal Data Protection Office)
Portugal Comissão Nacional de Protecção de Dados (CNPD)
Romania The National Supervisory Authority for Personal Data Processing
Slovakia Office for Personal Data Protection of the Slovak Republic
Slovenia Information Commissioner of the Republic of Slovenia
Spain Agencia Española de Protección de Datos (AEPD)
Sweden Datainspektionen
United Kingdom The Information Commissioner's Office (ICO)

How to Decide Which Data Protection Authority to Contact

How to Decide Which Data Protection Authority to Contact

If you operate solely out of one of the member states it will be obvious which DPA you should contact as you simply select the DPA for that member state. For example, if your company is located in Portugal and you only process the data of portugese citizens, your DPA would be the CNPD.

But what if you serve customers in several member states or have a physical presence in several member states? How do you know which DPA to contact?

This is where the 'one-stop shop mechanism' comes in. This mechanism was created to enable businesses who serve several member states to find their Lead Supervisory Authority. This means the company will only deal with one DPA as opposed to dealing with several DPAs across multiple member states.

The main DPA will be selected based on which DPA is operating in the company's 'main establishment,' which will usually be wherever the companies 'central administration' is located.

For example, if a company operates across the UK, France and Germany, but its Head Office is located in London, the 'Lead Supervisory Authority' would be the UK's DPA, the ICO.

The term 'central administration' is interpreted slightly differently depending on whether your company is a data controller or a data processor.

If you are a data controller, your place of 'central administration' will be decided based on where key decisions about data processing are made. With regard to data processors, the term 'central administration' is "the place where the main processing activities take place."

Summary

DPAs are independent bodies which exist to ensure that companies are complying with data protection laws. Each member state has a DPA.

In addition, DPAs are able to offer guidance about data protection law to governments, organizations and to members of the public.

They have several powers, such as the power to investigate, to correct, to advise and to authorize. DPAs are able to issue substantial fines to companies who fail to comply with national data protection law.

As a data controller or data processor, it's important to understand your relationship with DPAs. You should understand why you may need to contact a DPA. For example, to report a breach.

Additionally, you should understand why a DPA may contact you. For example, to advise you that a complaint has been made against your organization concerning data protection.

It's important to know which DPA to contact and this may not be straightforward if your company operates across several member states. A company's main DPA will usually be selected based on where its 'main establishment' is located. The EU created a 'one-stop shop mechanism' to help organizations to select an appropriate DPA.